How long does it take to catch a wild kangaroo?


Ravi Montenegro, Prasad Tetali

December 3, 2008

arXiv: v1 [math.PR] 3 Dec 2008

Abstract

The discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element h ∈ G such that g^x = h. We give the first rigorous proof that Pollard's Kangaroo method finds the discrete logarithm in expected time (3 + o(1))√(b−a) when the logarithm x ∈ [a,b], and (2 + o(1))√(b−a) when x is chosen uniformly at random from [a,b]. This matches the conjectured time complexity and, rare among the analysis of algorithms based on Markov chains, even the lead constants 2 and 3 are correct.

Keywords: Pollard's Kangaroo method, digital signature, discrete logarithm, Markov chain, mixing time

1 Introduction

Cryptographic schemes are generally constructed in such a way that breaking them will likely require solving some presumably difficult computational problem, such as finding prime factors or solving a discrete logarithm problem. Recall that the discrete logarithm problem asks to solve for the exponent x, given the generator g of a cyclic group G and an element h ∈ G such that g^x = h. The Diffie-Hellman key exchange, ElGamal cryptosystem, and the US government's DSA (Digital Signature Algorithm) are all based on an assumption that discrete logarithms are difficult to find.

A Birthday Attack is a common approach towards solving these problems, and although heuristics can be given for the time complexity of these methods, rigorous results are rare. In [3] we examined one such method, namely Pollard's Rho Algorithm to find the discrete logarithm on a cyclic group G, and verified the correctness of commonly held intuition. This work generated further interest among some of the experts in cryptography, and Dan Boneh [1] in particular encouraged us to analyze Pollard's Kangaroo method [5], due to its very many applications. When the discrete logarithm x is known to lie in a small interval [a,b] with b−a ≪ |G|, this algorithm is expected to improve on the Rho algorithm, with a run time averaging 2√(b−a) steps, versus √(π|G|/2) for the Rho algorithm. In fact, for some cyclic groups the Kangaroo method is the most efficient means known for finding discrete logarithms over an interval, as Shanks' baby-step giant-step method requires too much memory. Among the cases in which this would be useful, Boneh and Boyen [2] give a signature scheme in which a shorter signature can be transmitted if the receiver uses the Kangaroo method to determine the missing information. Verification of the time complexity of the Kangaroo method (as we do

Author affiliations: Ravi Montenegro, Department of Mathematical Sciences, University of Massachusetts at Lowell, Lowell, MA 01854, USA, ravi_montenegro@uml.edu. Prasad Tetali, School of Mathematics and School of Computer Science, Georgia Institute of Technology, Atlanta, GA 30332, USA, tetali@math.gatech.edu; research supported in part by NSF DMS grants.

here) would then make rigorous their claim that the missing bits can be efficiently constructed.

While the above is an application for signature communication, another natural application is in forging a signature. For instance, in order to speed up computation of a signature the secret key x may be chosen from an interval [a,b] with b−a ≪ |G|, or an attack might reveal a sequence of consecutive bits at the beginning or end of the key, in which cases the Kangaroo method can be used to find the key and forge a signature.

The Kangaroo method is based on running two independent sequences of hops (random walks), one starting at a known state (the "tame kangaroo") and the other starting at the unknown value of the discrete logarithm x (the "wild kangaroo"). The main result of this paper will be a bound on the expected number of steps required by the kangaroos before the logarithm is determined. In particular, we find that for the Distinguished Points implementation of the Kangaroo method,

Theorem 1.1 Suppose g,h ∈ G are such that h = g^x for some x ∈ [a,b]. The expected number of group operations required by the Kangaroo method is (3 + o(1))√(b−a). If x is uniformly random in [a,b] then the expected number of group operations is (2 + o(1))√(b−a).

We show matching upper and lower bounds, so the lead constants are sharp, which is rare among the analyses of algorithms based on Markov chains. Previously the first bound was known only by rough heuristic, while Pollard [6] gives a convincing but not completely rigorous argument for the second.

Given the practical significance of Pollard's Kangaroo method for solving the discrete logarithm problem, we find it surprising that there has been no fully rigorous analysis of this algorithm, particularly since it has been 30 years since it was first proposed in [5]. Although our approach borrows a few concepts from the study of the Rho algorithm in [3], such as the use of a second moment method to study the number of intersections, a significant complication in studying this algorithm is that when b−a ≪ |G| the kangaroos will have proceeded only a small way around the cyclic group before the algorithm terminates. As such, mixing time is no longer a useful notion, and instead a notion of convergence is required which occurs long before the mixing time. We expect that the tools developed in this paper to avoid this problem will prove useful in examining other randomized algorithms.

The paper proceeds as follows. In Section 2 we introduce the Kangaroo method. A general framework for analysing intersection of independent walks on the integers is constructed in Section 3. This is followed by a detailed analysis for the Kangaroo method in Section 4. The Appendix contains the proof of a technical lemma used in Section 3.

2 Preliminaries

We describe here the Kangaroo method, originally known as the Lambda method for catching Kangaroos. The Distinguished Points implementation of [4] is given, rather than the original implementation of [5], as the former is more efficient.

Problem: Given g,h ∈ G, solve for x ∈ [a,b] with h = g^x.

Method: Pollard's Kangaroo method (with distinguished points).

Preliminary Steps:

Define a set D of distinguished points, with |D|/|G| = c/√(b−a) for some constant c.

Define a set of jump sizes S = {s_0, s_1, ..., s_d}. We consider powers of two, S = {2^k}_{k=0}^{d}, with d = log_2 √(b−a) + log_2 log_2 √(b−a) − 2 chosen so that elements of S average roughly ½√(b−a).

Finally, a hash function F : G → S.

The Algorithm:

Let X_0 = ⌊(a+b)/2⌋, Y_0 = x, and d_0 = 0. Observe that g^{Y_0} = h g^{d_0}.

Recursively define X_{i+1} = X_i + F(g^{X_i}) and likewise d_{i+1} = d_i + F(h g^{d_i}). This implicitly defines Y_{i+1} = Y_i + F(g^{Y_i}) = x + d_{i+1}.

If g^{X_i} ∈ D then store the pair (g^{X_i}, X_i − X_0) with an identifier T (for tame). Likewise if g^{Y_i} = h g^{d_i} ∈ D then store (g^{Y_i}, d_i) with an identifier W (for wild).

Once some distinguished point has been stored with both identifiers T and W, say g^{X_i} = g^{Y_j} where (g^{X_i}, X_i − X_0) and (g^{Y_j}, d_j) were stored, then X_i ≡ Y_j ≡ x + d_j (mod |G|), and so x ≡ X_i − d_j (mod |G|).

The X_i walk is called the tame kangaroo because its position is known, whereas the position Y_j of the wild kangaroo is to be determined by the algorithm. This was originally known as the Lambda method because the two walks are initially different, but once g^{X_i} = g^{Y_j} then they proceed along the same route, forming a λ shape.

Theorem 1.1 makes rigorous the following commonly used rough heuristic: Suppose X_0 ≤ Y_0. Run the tame kangaroo infinitely far. Since the kangaroos have an average step size ½√(b−a), one expects the wild kangaroo requires |X_0 − Y_0| / (½√(b−a)) steps to reach X_0. Subsequently, at each step the probability that the wild kangaroo lands on a spot visited by the tame kangaroo is roughly p = 2/√(b−a), so the expected number of additional steps by the wild kangaroo until a collision is then around p^{−1} = ½√(b−a). By symmetry the tame kangaroo also averaged p^{−1} steps. About √(b−a)/c additional steps are required until a distinguished point is reached. Since X_i and Y_i are incremented simultaneously the total number of steps taken is then

2 ( |X_0 − Y_0| / (½√(b−a)) + p^{−1} + √(b−a)/c ) ≤ (3 + 2c^{−1}) √(b−a).

If Y_0 = x is uniformly random in [a,b] then E|X_0 − Y_0| / (½√(b−a)) = ½√(b−a) and the bound is (2 + 2c^{−1}) √(b−a).

We make only two assumptions in our analysis. First, that the hash F : G → S is a random function, i.e. if g ∈ G then F(g) is equally likely to be any value in S, independent of all other F(g'). Second, that the distinguished points are well distributed with c ≤ √(b−a); either they are chosen uniformly at random, or if c = Ω(d log d) then roughly constant spacing between points will suffice. The assumption on distinguished points can be dropped if we instead analyze Pollard's (slower) original algorithm, to which our methods also apply. Both assumptions are made in most discussions of the Kangaroo method [7, 4, 6], and so are quite acceptable.
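The Distinguished Points algorithm above, written out as an added example (this is not code from the paper): it runs on a constructed toy group, the multiplicative group modulo the Mersenne prime 2^31 − 1 with generator 7, models the hash F and the distinguished-point test with SHA-256, and uses a constructed interval and secret. The tame table stores X_i rather than X_i − X_0, which carries the same information.

```python
import hashlib
import math

# Constructed toy group for this example: the multiplicative group mod the
# Mersenne prime p = 2^31 - 1. 7 is a primitive root, so g = 7 generates a
# cyclic group of order |G| = p - 1.
P = 2**31 - 1
G = 7
ORDER = P - 1


def jump_set(width):
    """Jump sizes S = {2^k : 0 <= k <= d} with the paper's choice
    d = log2 sqrt(width) + log2 log2 sqrt(width) - 2, which makes the mean
    jump about sqrt(width)/2 asymptotically (for small widths it is lower)."""
    width = max(width, 4)
    r = math.log2(width) / 2                 # log2 sqrt(width)
    d = max(1, round(r + math.log2(r) - 2))
    return [1 << k for k in range(d + 1)]


def _digest(elem):
    return hashlib.sha256(elem.to_bytes(8, "big")).digest()


def hop_index(elem, n_jumps):
    """F : G -> S, modelled as a random function via SHA-256 of the element."""
    return int.from_bytes(_digest(elem)[:4], "big") % n_jumps


def is_distinguished(elem, c):
    """Distinguished points: roughly a 1/c fraction of G, decided by hash bits
    that are independent of those used for F."""
    return int.from_bytes(_digest(elem)[4:8], "big") % c == 0


def kangaroo(h, a, b, c=32, max_hops=400_000):
    """Solve h = G^x with a <= x <= b. Returns (x, hops), or (None, hops) if
    max_hops group multiplications were spent. Only the precomputation of
    G^s for s in S is excluded from the count."""
    S = jump_set(b - a)
    g_pow = [pow(G, s, P) for s in S]   # g^(2^k): each hop is one multiplication
    X = (a + b) // 2                     # tame kangaroo starts at a known exponent
    tame = pow(G, X, P)
    d = 0                                # wild kangaroo sits at h*g^d = g^(x+d)
    wild = h
    table = {}                           # distinguished element -> (tag, exponent data)
    hops = 0
    while hops < max_hops:
        for elem, tag, val in ((tame, "T", X), (wild, "W", d)):
            if is_distinguished(elem, c):
                prev = table.setdefault(elem, (tag, val))
                if prev[0] != tag:
                    # g^X_i = h g^d_j for some i, j, hence x = X_i - d_j (mod |G|)
                    x_i, d_j = (val, prev[1]) if tag == "T" else (prev[1], val)
                    return (x_i - d_j) % ORDER, hops
        k = hop_index(tame, len(S))
        X += S[k]
        tame = tame * g_pow[k] % P
        k = hop_index(wild, len(S))
        d += S[k]
        wild = wild * g_pow[k] % P
        hops += 2
    return None, hops


def demo():
    """Constructed instance: interval width 2^20, secret chosen inside it.
    Returns (recovered_correctly, hops / sqrt(b - a)) so the cost can be
    compared with the (3 + o(1)) sqrt(b - a) bound of Theorem 1.1."""
    a = 1_000_000
    b = a + 2**20
    secret = a + 731_913                 # the solver never reads this
    x, hops = kangaroo(pow(G, secret, P), a, b)
    return x == secret, hops / math.sqrt(b - a)


if __name__ == "__main__":
    print(demo())
```

At this interval size the o(1) terms are far from negligible, so the ratio returned by demo() is only a rough illustration of the constant in Theorem 1.1, not a measurement of it.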

3 Uniform Intersection Time and a Collision Bound

In order to understand our approach to bounding time until the kangaroos have visited a common location, which we call a collision, it will be helpful to consider a simplified version of the Kangaroo method. First, observe by the assumption about the hash F : G → S that X_i and Y_j are independent random walks at least until they collide, and so to bound time until this occurs it suffices to assume they are independent random walks even after they have collided. Second, these are random walks on Z/|G|Z, so if we drop the modular arithmetic and work on Z then the time until a collision can only be made worse. Third, since the walks proceed strictly in the positive direction on Z then in order to determine the number of hops the tame kangaroo (described by X_i) takes until it meets the wild kangaroo (i.e. X_i = Y_j on Z), it suffices to run the wild kangaroo infinitely long and only after this have the tame kangaroo start hopping.

With these simplifications the problem reduces to one about intersection of walks X_i and Y_j, both proceeding in the positive direction on the integers, in which Y_j proceeds an infinite number of steps and then X_i proceeds some N steps until ∃j, X_N = Y_j. Thus, rather than considering a specific probability Pr[X_i = Y_j] it is better to look at Pr[∃j, X_i = Y_j]. By symmetry, the same approach will also bound the expected number of hops the wild kangaroo requires to reach a location the tame kangaroo visits.

First however, because the walk does not proceed long enough to approach its stationary distribution (true on both Z/|G|Z and more obviously on Z), alternate notions resembling mixing time and a stationary distribution will be required.

Definition 3.1 Consider a Markov chain P on Z which is non-decreasing, i.e. P(u,v) > 0 only when v ≥ u. Let X_i and Y_j denote independent walks starting at states (X_0,Y_0) ∈ Ω ⊂ Z × Z, for some set of permitted initial states Ω ⊇ ∪_{v∈Z} {(v,v)}. For fixed ǫ ∈ [0,1], the uniform intersection time T(ǫ) ∈ N and uniform intersection probability U ∈ R^+ are such that

∀i ≥ T(ǫ) : (1 − ǫ)U ≤ Pr(∃j, X_i = Y_j) ≤ (1 + ǫ)U.

We do not attempt to show a general existence result for uniform intersection time and probability, as our primary interest is in the Kangaroo method. Also, to avoid clutter we write T to denote T(ǫ) in the remainder.

A natural approach is to consider an appropriate random variable counting the number of intersections of the two walks. Towards this, let S_N denote the number of times the X_i walk intersects the Y_j walk in the first N steps, i.e. S_N = Σ_{i=1}^{N} 1_{{∃j : X_i = Y_j}}. The second moment method used will involve showing that Pr[S_N > 0] is non-trivial for some N. Our collision bound will involve the quantity B_T, an upper bound on the expected number of collisions in the first T steps between two independent walks. To be precise, define:

B_T = max_{(X_0,Y_0) ∈ Ω} Σ_{i=1}^{T} Pr(∃j, X_i = Y_j).

Then the expected number of steps until a collision can be bounded as follows.

Theorem 3.2 Consider a non-decreasing Markov chain on Z, two independent walks with starting states (X_0,Y_0) ∈ Ω, and uniform intersection time and probability T = T(ǫ) and U respectively. Then

(1 − √B_T)^2 / (U(1 + ǫ)) ≤ E min{i > 0 : ∃j, X_i = Y_j} ≤ (1 − 4ǫ)^{−1} (√T + √((1 + 2B_T)/U))^2.

If B_T, ǫ → 0 and TU → 0 then these bounds show that E min{i > 0 : ∃j, X_i = Y_j} = (1 + o(1))/U.

It will prove easiest to study S_N by first considering the first and second moments of the number of intersections in steps T+1 to N, i.e. S'_N = Σ_{i=T+1}^{N} 1_{{∃j : X_i = Y_j}}, in terms of the uniform intersection time and probability:

Lemma 3.3 Under the conditions of Theorem 3.2, if N ≥ T then

(1 − ǫ)(N − T)U ≤ E[S'_N] ≤ (1 + ǫ)(N − T)U,

E[S'^2_N] ≤ (1 + ǫ)^2 (N − T)^2 U^2 [ 1 + (1 + 2B_T) / ((N − T)U) ].

This is a technical lemma and offers little insight into our proof, so it is left for the Appendix. We now upper and lower bound the probability of an intersection in the first N steps:

Lemma 3.4 Under the conditions of Theorem 3.2, if N ≥ T then

B_T + (N − T)U(1 + ǫ) ≥ Pr[S_N > 0] ≥ (1 − 4ǫ) [ 1 + (1 + 2B_T) / ((N − T)U) ]^{−1}.

Proof. Observe that Pr[S_N > 0] ≥ Pr[S'_N > 0], so for the lower bound it suffices to consider S'_N. Recall the standard second moment bound: using Cauchy-Schwarz, we have that

E[S'_N] = E[S'_N 1_{{S'_N > 0}}] ≤ E[S'^2_N]^{1/2} E[1_{{S'_N > 0}}]^{1/2}

and hence Pr[S'_N > 0] ≥ E[S'_N]^2 / E[S'^2_N]. By Lemma 3.3 then, independent of starting point,

Pr[S'_N > 0] ≥ ((1 − ǫ)/(1 + ǫ))^2 [ 1 + (1 + 2B_T) / ((N − T)U) ]^{−1} ≥ (1 − 4ǫ) [ 1 + (1 + 2B_T) / ((N − T)U) ]^{−1},

since ((1 − ǫ)/(1 + ǫ))^2 ≥ 1 − 4ǫ for ǫ ≥ 0.

Now to upper bound Pr[S_N > 0]. Since S_N ∈ N then Pr[S_N > 0] = E[1_{{S_N > 0}}] ≤ E[S_N].

The expectation E[S_N] satisfies

E[S_N] = E Σ_{i=1}^{N} 1_{{∃j, X_i = Y_j}} = Σ_{i=1}^{N} E[1_{{∃j, X_i = Y_j}}] = Σ_{i=1}^{T} Pr(∃j, X_i = Y_j) + Σ_{i=T+1}^{N} Pr(∃j, X_i = Y_j) ≤ B_T + (N − T)U(1 + ǫ). ∎

Proof of Theorem 3.2. First, we upper and lower bound Pr[S_{kN} = 0] for every k ≥ 1. For l ≥ 1, let S_N^{(l)} = Σ_{i=1}^{N} 1_{{∃j : X_{(l−1)N+i} = Y_j}}, so that S_N^{(1)} = S_N. Thus

Pr[S_{kN} = 0] = Pr[S_N = 0] Pr[S_{2N} = 0 | S_N = 0] ··· Pr[S_{kN} = 0 | S_{(k−1)N} = 0] = Π_{l=1}^{k} Pr[S_N^{(l)} = 0 | S_{(l−1)N} = 0].

By taking X_0 → X_{(l−1)N} and Y_0 → min{Y_j : Y_j > X_{(l−1)N}}, we may bound:

1 − B_T − (N − T)U(1 + ǫ) ≤ Pr[S_N^{(l)} = 0 | S_{(l−1)N} = 0] ≤ 1 − (1 − 4ǫ) [ 1 + (1 + 2B_T) / ((N − T)U) ]^{−1}.

Hence

(1 − B_T − (N − T)U(1 + ǫ))^k ≤ Pr[S_{kN} = 0] ≤ ( 1 − (1 − 4ǫ) [ 1 + (1 + 2B_T) / ((N − T)U) ]^{−1} )^k.

These upper and lower bounds will now be used to bound the collision time. First, the upper bound:

E min{i : S_i > 0} = E Σ_{i≥0} 1_{{S_i = 0}} = 1 + Σ_{i≥1} Pr[S_i = 0] ≤ Σ_{k≥0} Pr[S_{kN} = 0] N ≤ N Σ_{k≥0} ( 1 − (1 − 4ǫ) [ 1 + (1 + 2B_T) / ((N − T)U) ]^{−1} )^k = (1 − 4ǫ)^{−1} ( N + N(1 + 2B_T) / ((N − T)U) ).

This is minimized when N = T + √(T(1 + 2B_T)/U), which gives the upper bound of the theorem.

To show the lower bound, take

E min{i : S_i > 0} = Σ_{i≥0} Pr[S_i = 0] ≥ N Σ_{k≥1} Pr[S_{kN} = 0] ≥ N Σ_{k≥1} (1 − B_T − (N − T)U(1 + ǫ))^k = N ( (B_T + (N − T)U(1 + ǫ))^{−1} − 1 ).

If B_T ≥ 1 then the bound stated in the theorem is trivial, so assume B_T < 1. If B_T(1 − B_T) < TU(1 + ǫ) then the maximum of the above bound is at N = T. In this case the bound is

E min{i : S_i > 0} ≥ T (B_T^{−1} − 1) ≥ (1 − B_T)^2 / (U(1 + ǫ)).

When B_T(1 − B_T) ≥ TU(1 + ǫ) then the maximum is at N = γ(1 − γ) / (U(1 + ǫ)), where the quantity γ = √(B_T − TU(1 + ǫ)). In this case the bound is

E min{i : S_i > 0} ≥ (1 − √(B_T − TU(1 + ǫ)))^2 / (U(1 + ǫ)) ≥ (1 − √B_T)^2 / (U(1 + ǫ)). ∎

To bound the value of B_T it will prove easier to consider those intersections that occur early in the Y_j walk separately from those that occur later.

Lemma 3.5 Let τ be such that whenever (X_0,Y_0) ∈ Ω then Pr[{X_i}_{i≤T} ∩ {Y_j}_{j>τ} ≠ ∅] ≤ γ. Then

B_T ≤ γ + Σ_{j=1}^{τ} (1 + j) max_{u,v} P^j(u,v).

Proof. Recall that B_T = max_{(X_0,Y_0) ∈ Ω} Σ_{i=1}^{T} Pr(∃j, X_i = Y_j). When j > τ then

Σ_{i=1}^{T} Pr[∃j > τ : X_i = Y_j] ≤ Pr[{X_i}_{i≤T} ∩ {Y_j}_{j>τ} ≠ ∅] ≤ γ.

When j ≤ τ then

Σ_{i=1}^{T} Pr[∃j ≤ τ : X_i = Y_j] ≤ Σ_{j=0}^{τ} Σ_{i=0}^{T} Σ_v P^i(X_0,v) P^j(Y_0,v) ≤ Σ_{j=1}^{τ} Σ_{i=0}^{j} max_{w,x} P^j(w,x) max_u Σ_v P^i(u,v) = Σ_{j=1}^{τ} (1 + j) max_{w,x} P^j(w,x).

The second inequality follows by letting j denote the larger of the two indices and i the smaller. The final equality is because Σ_v P^i(u,v) = 1. ∎

4 Catching Kangaroos

The collision results of the previous section will now be applied to the Kangaroo method. The first step in bounding collision time will be to bound the uniform intersection time and probability. This will be done by selecting some d of the first T steps of the X_i walk (for suitable i), and using these to construct a uniformly random d-bit binary string which is independent of the specific step sizes taken on other steps. This implies that the X_i walk is uniformly distributed over some interval of 2^d elements, and so the probability that some Y_j = X_i will be exactly the expected number of times the Y_j walk visits this interval, divided by the interval size (i.e. 2^d). Throughout we take Ω = {(X_0,Y_0) : X_0 ≤ Y_0 < X_0 + 2^d}.

Lemma 4.1 If (X_0,Y_0) ∈ Ω and i ≥ T = 2(d + 1)^2 (1 + log_2(d + 1)) then

(2/√(b−a)) (1 − 3/log_2 √(b−a)) ≤ Pr(∃j, X_i = Y_j) ≤ (2/√(b−a)) (1 + 3/log_2 √(b−a)),

i.e. when ǫ = 3/log_2 √(b−a) then one may take T(ǫ) = T as above and U = 2/√(b−a).

Proof. The tame kangaroo will be implemented by choosing k uniformly at random from {0,1,...,d} and then flipping a coin to decide whether to increment by 2^k or 2^{k+1} (if k = d then increment by 2^d or 0). We say generator 2^k has been chosen if value k was chosen, even though the step size taken may not be 2^k.

Consider the tame kangaroo. For k ∈ {0,1,...,d−1} let δ_k denote the step taken the first time generator 2^k is chosen, so that δ_k − 2^k is uniform on {0, 2^k}. Also, let T′ be the first time all of the generators have been chosen (including 2^d). Define δ = Σ_{k=0}^{d−1} (δ_k − 2^k), which is uniform on {0,1,...,2^d − 1}, and let I_i denote the sum of all increments except those incorporated in a δ_k, so that if i ≥ T′ then X_i = X_0 + I_i + 2^d − 1 + δ.

Suppose i ≥ T′. Then δ is independent of the value of I_i, and so X_i is uniform on [X_0 + I_i + 2^d − 1, X_0 + I_i + 2^{d+1} − 1). Observe that X_0 + I_i + 2^d − 1 ≥ X_0 + 2^d − 1 ≥ Y_0. Since the average non-zero step size for Y_j is ½√(b−a) (recall d was chosen to guarantee this) then

Pr(∃j, X_i = Y_j | i ≥ T′) = E |{Y_j} ∩ [X_0 + I_i + 2^d − 1, X_0 + I_i + 2^{d+1} − 1)| / 2^d ≥ ⌊2^d / (½√(b−a))⌋ / 2^d ≥ (2/√(b−a)) (1 − ½√(b−a)/2^d) = (2/√(b−a)) (1 − 2/log_2 √(b−a)).

Similarly, an upper bound of 2/√(b−a) + 2^{−d} follows by taking ceiling instead of floor.

Next, consider T′. By the Coupon Collector's problem E(T′) = (d + 1)H_{d+1} where H_n = Σ_{l=1}^{n} l^{−1} is the n-th harmonic number. By Markov's Inequality Pr[T′ ≥ 2(d + 1)H_{d+1}] ≤ 1/2 and

so if α = d + 1 then

Pr[T′ ≥ 2α(d + 1)H_{d+1}] = Π_{l=1}^{α} Pr[T′ ≥ 2l(d + 1)H_{d+1} | T′ ≥ 2(l − 1)(d + 1)H_{d+1}] ≤ 2^{−α} = 2^{−(d+1)}.

Since H_n ≤ 1 + ln n ≤ 1 + log_2 n, we get in turn Pr[T′ > T] ≤ 2^{−(d+1)}.

To finish,

Pr[∃j, X_i = Y_j] = (1 − Pr[T′ > T]) Pr[∃j, X_i = Y_j | T′ ≤ T] + Pr[T′ > T] Pr[∃j, X_i = Y_j | T′ > T].

Since all probabilities are in [0,1], and 0 ≤ Pr[T′ > T] ≤ 2^{−(d+1)}, then

| Pr[∃j, X_i = Y_j] − Pr[∃j, X_i = Y_j | T′ ≤ T] | ≤ 2^{−(d+1)}. ∎

It remains only to upper bound B_T. This will be shown by breaking up the sum of Lemma 3.5 into two parts. Let κ = (d + 1)^{1/5}. When j ≤ κ then it will be shown that with high probability every step size taken was distinct, in which case the sum of the step sizes is a random (d + 1)-bit binary string containing exactly j ones, i.e. uniform over C(d+1, j) possibilities. When j > κ then with high probability at least κ distinct step sizes have been chosen, in which case a random κ-bit binary string is extracted as in the proof of Lemma 4.1 and used to show the maximum probability of a state is at most 2^{−κ}.

Lemma 4.2 If T = 2(d + 1)^2 (1 + log_2(d + 1)) then B_T = o_d(1).

Proof. This will be shown by applying Lemma 3.5. To bound P^j(u,v) we set X_0 = u and consider X_j for j ∈ {1, 2, ..., τ}, where τ is to be determined later. Recall that κ = (d + 1)^{1/5}.

First suppose 1 ≤ j ≤ κ. Assume d ≥ 2 so that j < d + 1. Implement the kangaroo walk in the obvious way, i.e. choose k ∈ {0,1,...,d} and increment by 2^k. Let E denote the event that all j increment sizes were distinct. Then

Pr[E] = (d + 1) d ··· (d + 2 − j) / (d + 1)^j ≥ ((d + 2 − j)/(d + 1))^{j−1} ≥ 1 − j(j − 1)/(d + 1)

because (1 − x)^n ≥ 1 − nx if x ∈ [0,1] and n ∈ N. Then

max_v P^j(u,v) = max_v Pr[X_j = v] = max_v ( Pr[E] Pr[X_j = v | E] + Pr[¬E] Pr[X_j = v | ¬E] ) ≤ 1/C(d+1, j) + (1 − Pr[E]) ≤ 1/(d + 1) + j(j − 1)/(d + 1) ≤ 4(d + 1)^{−3/5}.

If d = 1 then trivially P^j(u,v) ≤ 1 ≤ 4(d + 1)^{−3/5} ≈ 2.64. Then

Σ_{j=1}^{κ} (j + 1) max_v P^j(u,v) ≤ (1 + κ)^2 · 4(d + 1)^{−3/5} = o_d(1).

Before calculating the remaining terms in the sum, a value for τ in Lemma 3.5 is needed. Note that trivially X_T ≤ X_0 + T 2^d. Let ΔY be a random increment of the Y walk. Then

Pr[ΔY ≥ 2^d/(d + 1)] = (1 + log_2(d + 1)) / (d + 1).

A Chernoff bound can be used here. If j ≥ 2(d + 1)^2 T / (1 + log_2(d + 1)) then the expected number of steps of size at least 2^d/(d + 1) is µ = 2T(d + 1), so that E[Y_j − X_0] ≥ E[Y_j − Y_0] ≥ 2T 2^d. With δ = 1/2 then

Pr[Y_j ≤ X_0 + T 2^d] ≤ e^{−µδ^2/2} = e^{−4(d+1)^3 (1 + log_2(d+1))/8} ≤ 2^{−(d+1)}.

It thus suffices to take τ = 2(d + 1)^2 T / (1 + log_2(d + 1)) = 4(d + 1)^4, with γ = 2^{−(d+1)} and γ = o_d(1).

Finally, suppose κ < j ≤ τ. Implement the kangaroo walk as in the proof of Lemma 4.1, and likewise assume the same terminology. Let S denote the set of distinct generators that have been chosen excluding 2^d, so that |S| ≤ d, and observe that Σ_{k∈S} (δ_k − 2^k) is uniform over 2^{|S|} elements, so that if I_j is the sum of all increments except those used the first time an element of S was chosen then Pr[X_j = v | S, I_j] ≤ 2^{−|S|}. It follows that Pr[X_j = v | S] ≤ 2^{−|S|}. Hence, if E denotes the event that κ or fewer distinct generators have been chosen, so that ¬E implies |S| ≥ κ, then

max_{u,v} P^j(u,v) ≤ Pr[E] · 1 + Pr[¬E] · 2^{−κ} ≤ C(d+1, κ) (κ/(d + 1))^{j} + 2^{−κ} ≤ (d + 1)^{κ} (d + 1)^{−4j/5} + 2^{−κ} ≤ (d + 1)^{−3κ/5} + 2^{−κ}.

It follows that

Σ_{j=κ+1}^{τ} (1 + j) max_{u,v} P^j(u,v) ≤ (1 + τ)^2 ( (d + 1)^{−3κ/5} + 2^{−κ} ) = o_d(1). ∎

We can now prove the main result of the paper.

Proof of Theorem 1.1. Note that the group elements g^{(2^k)} can be pre-computed, so that each step of a kangaroo requires only a single group multiplication.

As discussed in the heuristic argument of Section 2, an average of |X_0 − Y_0| / (½√(b−a)) steps are needed to put the smaller of the starting states (e.g. X_0 < Y_0) within 2^d of the one that started ahead.

If the Distinguished Points are randomly distributed then the heuristic for these points is again correct. If instead they are roughly constantly spaced and c = Ω(d log d) then observe that in the proof of Lemma 4.1 it was established that after T = T(ǫ) = 2(d + 1)^2 (1 + log_2(d + 1)) steps the kangaroos will be nearly uniformly random over some interval of length 2^{d+1} = ½√(b−a) log_2 √(b−a), so if the Distinguished Points are uniformly distributed and cover a c/√(b−a) fraction of vertices then an average of √(b−a)/c such samples are needed, which amounts to √(b−a)/c = o(1)√(b−a) extra steps.

It remains to make rigorous the claim regarding p^{−1}. In the remainder we may thus assume that |X_0 − Y_0| < 2^d. Take ǫ = 3/log_2 √(b−a). By Lemma 4.1 the uniform intersection time is T = T(ǫ) = 2(d + 1)^2 (1 + log_2(d + 1)) with uniform intersection probability U = 2/√(b−a), while by Lemma 4.2 also B_T = o(1). The upper bound of Theorem 3.2 is then (½ + o(1))√(b−a). The lower bound of Theorem 3.2 is then (½ − o(1))√(b−a). ∎

Acknowledgments

The authors thank Dan Boneh for encouraging them to study the Kangaroo method.

References

[1] D. Boneh, Private Communication.

[2] D. Boneh and X. Boyen, Short Signatures Without Random Oracles, Proc. of Eurocrypt 2004, LNCS 3027 (2004).

[3] J.-H. Kim, R. Montenegro, Y. Peres and P. Tetali, A Birthday Paradox for Markov chains, with an optimal bound for collision in the Pollard Rho Algorithm for Discrete Logarithm, Proc. of the Algorithmic Number Theory Symposium (ANTS-VIII), Springer LNCS 5011 (2008).

[4] P.C. van Oorschot and M.J. Wiener, Parallel collision search with cryptanalytic applications, Journal of Cryptology, vol. 12 no. 1, pp. 1–28 (1999).

[5] J. Pollard, Monte Carlo methods for index computation (mod p), Mathematics of Computation, vol. 32 no. 143 (1978).

[6] J. Pollard, Kangaroos, Monopoly and Discrete Logarithms, Journal of Cryptology, vol. 13 no. 4 (2000).

[7] E. Teske, Square-root Algorithms for the Discrete Logarithm Problem (A Survey), in Public-Key Cryptography and Computational Number Theory, Walter de Gruyter, Berlin - New York (2001).

Appendix

The proof of Lemma 3.3 was left to the Appendix:

Proof. The expectation E[S'_N] satisfies

E[S'_N] = E Σ_{i=T+1}^{N} 1_{{∃j, X_i = Y_j}} = Σ_{i=T+1}^{N} E[1_{{∃j, X_i = Y_j}}] ≥ (N − T)U(1 − ǫ). (1)

The inequality is because E[1_{{∃j, X_i = Y_j}}] = Pr[∃j, X_i = Y_j] ≥ (1 − ǫ)U for i > T. The upper bound follows by taking (1 + ǫ) in place of (1 − ǫ).

Now for E[S'^2_N]. Note that

E[S'^2_N] = E[ ( Σ_{i=T+1}^{N} 1_{{∃j, X_i = Y_j}} ) ( Σ_{k=T+1}^{N} 1_{{∃l, X_k = Y_l}} ) ] = Σ_{i=T+1}^{N} Σ_{k=T+1}^{N} Pr(∃j,l : X_i = Y_j, X_k = Y_l).

By symmetry it suffices to consider the case that k ≥ i > T. Also, observe that if X_i = Y_j then X_k = Y_l is possible only if l ≥ j, because the X and Y walks proceed in the positive direction on the integer line. When k > i + T then Pr(∃l, X_k = Y_l | X_i = Y_j) ≤ U(1 + ǫ) by definition of T, and so

Pr(∃j,l : X_i = Y_j, X_k = Y_l) = Pr(∃j : X_i = Y_j) Pr(∃l, X_k = Y_l | X_i = Y_j) ≤ (1 + ǫ)^2 U^2.

When k ≤ i + T then

Σ_{k=i+1}^{i+T} Pr(∃j,l : X_i = Y_j, X_k = Y_l) ≤ Pr(∃j : X_i = Y_j) max_u Σ_{k=1}^{T} Pr(∃l, X_k = Y_l | X_0 = Y_0 = u) ≤ B_T U(1 + ǫ),

since i ≥ T. It follows that

E[S'^2_N] = Σ_{i=T+1}^{N} ( Pr(∃j : X_i = Y_j) + 2 Σ_{k=i+1}^{i+T} Pr(∃j,l : X_i = Y_j, X_k = Y_l) + 2 Σ_{k=i+T+1}^{N} Pr(∃j,l : X_i = Y_j, X_k = Y_l) )
≤ (1 + ǫ)U(N − T)(1 + 2B_T) + (1 + ǫ)^2 U^2 (N − T)(N − T − 1)
≤ (1 + ǫ)^2 U^2 (N − T)^2 [ 1 + (1 + 2B_T) / ((1 + ǫ)U(N − T)) ],

which gives the second moment bound of the lemma. ∎


More information

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme

Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any

More information

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Lecture 7: ElGamal and Discrete Logarithms

Lecture 7: ElGamal and Discrete Logarithms Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations James A. Muir School of Computer Science Carleton University, Ottawa, Canada http://www.scs.carleton.ca/ jamuir 23 October

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Digital Signature Scheme Based on a New Hard Problem

Digital Signature Scheme Based on a New Hard Problem Computer Science Journal of Moldova, vol.16, no.2(47), 2008 Digital Signature Scheme Based on a New Hard Problem Niolay A. Moldovyan Abstract Factorizing composite number n = qr, where q and r are two

More information

14.1 Finding frequent elements in stream

14.1 Finding frequent elements in stream Chapter 14 Streaming Data Model 14.1 Finding frequent elements in stream A very useful statistics for many applications is to keep track of elements that occur more frequently. It can come in many flavours

More information

Efficient Identity-Based Encryption Without Random Oracles

Efficient Identity-Based Encryption Without Random Oracles Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first

More information

NAVAL POSTGRADUATE SCHOOL THESIS

NAVAL POSTGRADUATE SCHOOL THESIS NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS AN ANALYSIS OF ALGORITHMS FOR SOLVING DISCRETE LOGARITHMS IN FIXED GROUPS by Joseph Mihalcik March 2010 Thesis Advisor: Second Reader: Dennis Volpano

More information

Question: Total Points: Score:

Question: Total Points: Score: University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please

More information

Random Variable. Pr(X = a) = Pr(s)

Random Variable. Pr(X = a) = Pr(s) Random Variable Definition A random variable X on a sample space Ω is a real-valued function on Ω; that is, X : Ω R. A discrete random variable is a random variable that takes on only a finite or countably

More information

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations

A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. XX, NO. X, MONTH 2007 1 A Simple Left-to-Right Algorithm for Minimal Weight Signed Radix-r Representations James A. Muir Abstract We present a simple algorithm

More information

Discrete logarithm and related schemes

Discrete logarithm and related schemes Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent

More information

10 Public Key Cryptography : RSA

10 Public Key Cryptography : RSA 10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if

More information

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today: Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how

More information

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Limits on the Efficiency of One-Way Permutation-Based Hash Functions Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)

More information

Points of High Order on Elliptic Curves ECDSA

Points of High Order on Elliptic Curves ECDSA ! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov

More information

10 Generic algorithms for the discrete logarithm problem

10 Generic algorithms for the discrete logarithm problem 18.783 Elliptic Curves Lecture #10 Spring 2017 03/13/2017 10 Generic algorithms for the discrete logarithm problem We now consider generic algorithms for the discrete logarithm problem in the standard

More information

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /

More information

Cryptographic Hash Functions

Cryptographic Hash Functions Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction

More information

Solution Set for Homework #1

Solution Set for Homework #1 CS 683 Spring 07 Learning, Games, and Electronic Markets Solution Set for Homework #1 1. Suppose x and y are real numbers and x > y. Prove that e x > ex e y x y > e y. Solution: Let f(s = e s. By the mean

More information

Summation polynomials and the discrete logarithm problem on elliptic curves

Summation polynomials and the discrete logarithm problem on elliptic curves Summation polynomials and the discrete logarithm problem on elliptic curves Igor Semaev Department of Mathematics University of Leuven,Celestijnenlaan 200B 3001 Heverlee,Belgium Igor.Semaev@wis.kuleuven.ac.be

More information

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu

More information

Random Small Hamming Weight Products with Applications to Cryptography

Random Small Hamming Weight Products with Applications to Cryptography Random Small Hamming Weight Products with Applications to Cryptography Jeffrey Hoffstein, Joseph H. Silverman NTRU Cryptosystems, Inc., 5 Burlington Woods, Burlington, MA 01803 USA, jhoff@ntru.com, jhs@ntru.com

More information

The Markov Chain Monte Carlo Method

The Markov Chain Monte Carlo Method The Markov Chain Monte Carlo Method Idea: define an ergodic Markov chain whose stationary distribution is the desired probability distribution. Let X 0, X 1, X 2,..., X n be the run of the chain. The Markov

More information

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring Alexander May Faculty of Computer Science, Electrical Engineering and Mathematics University of Paderborn 33102 Paderborn,

More information

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6 Technische Universität München (I7) Winter 2012/13 Dr. M. Luttenberger / M. Schlund Cryptography Endterm Last name: First name: Student ID no.: Signature: If you feel ill, let us know immediately. Please,

More information

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th

one eciently recover the entire key? There is no known method for doing so. Furthermore, the common belief is that no such ecient algorithm exists. Th Exposing an RSA Private Key Given a Small Fraction of its Bits Dan Boneh Glenn Durfee y Yair Frankel dabo@cs.stanford.edu gdurf@cs.stanford.edu yfrankel@cs.columbia.edu Stanford University Stanford University

More information

New Variant of ElGamal Signature Scheme

New Variant of ElGamal Signature Scheme Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,

More information

Counting Prime Numbers with Short Binary Signed Representation

Counting Prime Numbers with Short Binary Signed Representation Counting Prime Numbers with Short Binary Signed Representation José de Jesús Angel Angel and Guillermo Morales-Luna Computer Science Section, CINVESTAV-IPN, Mexico jjangel@computacion.cs.cinvestav.mx,

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael

More information

14 Diffie-Hellman Key Agreement

14 Diffie-Hellman Key Agreement 14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n

More information

CS 355: Topics in Cryptography Spring Problem Set 5.

CS 355: Topics in Cryptography Spring Problem Set 5. CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex

More information

CIS 551 / TCOM 401 Computer and Network Security

CIS 551 / TCOM 401 Computer and Network Security CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It

More information

1 Probability Review. CS 124 Section #8 Hashing, Skip Lists 3/20/17. Expectation (weighted average): the expectation of a random quantity X is:

1 Probability Review. CS 124 Section #8 Hashing, Skip Lists 3/20/17. Expectation (weighted average): the expectation of a random quantity X is: CS 24 Section #8 Hashing, Skip Lists 3/20/7 Probability Review Expectation (weighted average): the expectation of a random quantity X is: x= x P (X = x) For each value x that X can take on, we look at

More information

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such

More information

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT Abderrahmane Nitaj 1 and Mohamed Ould Douh 1,2 1 Laboratoire de Mathématiques Nicolas Oresme, Université de Caen, Basse Normandie, France Université

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004 CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key

More information

New Attacks on the Concatenation and XOR Hash Combiners

New Attacks on the Concatenation and XOR Hash Combiners New Attacks on the Concatenation and XOR Hash Combiners Itai Dinur Department of Computer Science, Ben-Gurion University, Israel Abstract. We study the security of the concatenation combiner H 1(M) H 2(M)

More information

Lecture 4: Two-point Sampling, Coupon Collector s problem

Lecture 4: Two-point Sampling, Coupon Collector s problem Randomized Algorithms Lecture 4: Two-point Sampling, Coupon Collector s problem Sotiris Nikoletseas Associate Professor CEID - ETY Course 2013-2014 Sotiris Nikoletseas, Associate Professor Randomized Algorithms

More information

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle

More information

CRYPTOGRAPHY AND NUMBER THEORY

CRYPTOGRAPHY AND NUMBER THEORY CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending

More information

Complexity Analysis of a Fast Modular Multiexponentiation Algorithm

Complexity Analysis of a Fast Modular Multiexponentiation Algorithm Complexity Analysis of a Fast Modular Multiexponentiation Algorithm Haimin Jin 1,, Duncan S. Wong, Yinlong Xu 1 1 Department of Computer Science University of Science and Technology of China China jhm113@mail.ustc.edu.cn,

More information

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication

More information

A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis

A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2

More information

8 Elliptic Curve Cryptography

8 Elliptic Curve Cryptography 8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given

More information

A new attack on RSA with a composed decryption exponent

A new attack on RSA with a composed decryption exponent A new attack on RSA with a composed decryption exponent Abderrahmane Nitaj and Mohamed Ould Douh,2 Laboratoire de Mathématiques Nicolas Oresme Université de Caen, Basse Normandie, France abderrahmane.nitaj@unicaen.fr

More information

Cell-Probe Lower Bounds for Prefix Sums and Matching Brackets

Cell-Probe Lower Bounds for Prefix Sums and Matching Brackets Cell-Probe Lower Bounds for Prefix Sums and Matching Brackets Emanuele Viola July 6, 2009 Abstract We prove that to store strings x {0, 1} n so that each prefix sum a.k.a. rank query Sumi := k i x k can

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are

More information

6.1 Occupancy Problem

6.1 Occupancy Problem 15-859(M): Randomized Algorithms Lecturer: Anupam Gupta Topic: Occupancy Problems and Hashing Date: Sep 9 Scribe: Runting Shi 6.1 Occupancy Problem Bins and Balls Throw n balls into n bins at random. 1.

More information

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages

Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING

More information

Cryptanalysis of Threshold-Multisignature Schemes

Cryptanalysis of Threshold-Multisignature Schemes Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,

More information

Randomized Algorithms

Randomized Algorithms Randomized Algorithms Prof. Tapio Elomaa tapio.elomaa@tut.fi Course Basics A new 4 credit unit course Part of Theoretical Computer Science courses at the Department of Mathematics There will be 4 hours

More information

One can use elliptic curves to factor integers, although probably not RSA moduli.

One can use elliptic curves to factor integers, although probably not RSA moduli. Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties

More information

Lecture 12: Lower Bounds for Element-Distinctness and Collision

Lecture 12: Lower Bounds for Element-Distinctness and Collision Quantum Computation (CMU 18-859BB, Fall 015) Lecture 1: Lower Bounds for Element-Distinctness and Collision October 19, 015 Lecturer: John Wright Scribe: Titouan Rigoudy 1 Outline In this lecture, we will:

More information

CS259C, Final Paper: Discrete Log, CDH, and DDH

CS259C, Final Paper: Discrete Log, CDH, and DDH CS259C, Final Paper: Discrete Log, CDH, and DDH Deyan Simeonov 12/10/11 1 Introduction and Motivation In this paper we will present an overview of the relations between the Discrete Logarithm (DL), Computational

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University

More information

Foundations of Cryptography

Foundations of Cryptography - 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such

More information

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

10 Concrete candidates for public key crypto

10 Concrete candidates for public key crypto 10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see

More information

Introduction to Elliptic Curve Cryptography

Introduction to Elliptic Curve Cryptography Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic

More information